authorLeo <thinkabit.ukim@gmail.com>2021-04-01 14:07:34 -0300
committerLeo <thinkabit.ukim@gmail.com>2021-04-01 18:03:16 +0000
commit49cdc04e5d5c4b93cc78fa62df33fe2744e6a43d (patch)
treecc3257be4b87ebc1e906fca84f6bac93284fca77
parentc655f5d2f5e8e4b8ca2d5d8e05908a4bd1334ec3 (diff)
main/py3-pygments: fix CVE-2021-27291
See: #12551
-rw-r--r--main/py3-pygments/APKBUILD13
-rw-r--r--main/py3-pygments/CVE-2021-27291.patch138
2 files changed, 148 insertions, 3 deletions
diff --git a/main/py3-pygments/APKBUILD b/main/py3-pygments/APKBUILD
index 74df61e4a9..637264ecba 100644
--- a/main/py3-pygments/APKBUILD
+++ b/main/py3-pygments/APKBUILD
@@ -3,7 +3,7 @@
pkgname=py3-pygments
_pkgname=Pygments
pkgver=2.5.2
-pkgrel=0
+pkgrel=1
pkgdesc="A syntax highlighting package written in Python."
url="http://pygments.org/"
arch="noarch"
@@ -11,12 +11,18 @@ license="BSD-2-Clause"
depends="python3 py3-setuptools"
checkdepends="py3-pytest"
subpackages="$pkgname-doc::noarch"
-source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2021-27291.patch
+ "
builddir="$srcdir/$_pkgname-$pkgver"
replaces="py-pygments" # Backwards compatibility
provides="py-pygments=$pkgver-r$pkgrel" # Backwards compatibility
+# secfixes:
+# 2.5.2-r1:
+# - CVE-2021-27291
+
build() {
python3 setup.py build
}
@@ -50,4 +56,5 @@ doc() {
default_doc
}
-sha512sums="d6715ca26cdb68d4c771bb530b2395805025c14c78d9099b033d3410ea239c41033fb611e43e39cbaa4ac38078a09324d8cfde42269129be0a096dcc13586859 Pygments-2.5.2.tar.gz"
+sha512sums="d6715ca26cdb68d4c771bb530b2395805025c14c78d9099b033d3410ea239c41033fb611e43e39cbaa4ac38078a09324d8cfde42269129be0a096dcc13586859 Pygments-2.5.2.tar.gz
+5ef840000d920fce4c89103b1f81ee6edcd23e356028567aa340cd124069dec783803261c9ca6e4e1b061839f845a279245f1f6a6410034becf0f76e45f0eeac CVE-2021-27291.patch"
diff --git a/main/py3-pygments/CVE-2021-27291.patch b/main/py3-pygments/CVE-2021-27291.patch
new file mode 100644
index 0000000000..d28028c6d2
--- /dev/null
+++ b/main/py3-pygments/CVE-2021-27291.patch
@@ -0,0 +1,138 @@
+From 2e7e8c4a7b318f4032493773732754e418279a14 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <georg@python.org>
+Date: Mon, 11 Jan 2021 09:46:34 +0100
+Subject: [PATCH] Fix several exponential/cubic complexity regexes found by Ben
+ Caller/Doyensec
+
+---
+ pygments/lexers/archetype.py | 2 +-
+ pygments/lexers/factor.py | 4 ++--
+ pygments/lexers/jvm.py | 1 -
+ pygments/lexers/matlab.py | 6 +++---
+ pygments/lexers/objective.py | 4 ++--
+ pygments/lexers/templates.py | 2 +-
+ pygments/lexers/varnish.py | 2 +-
+ 8 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py
+index 65046613d..26f5ea8c9 100644
+--- a/pygments/lexers/archetype.py
++++ b/pygments/lexers/archetype.py
+@@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
+ (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
+ r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
+ (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
+- (r'[+-]?(\d+)*\.\d+%?', Number.Float),
++ (r'[+-]?\d*\.\d+%?', Number.Float),
+ (r'0x[0-9a-fA-F]+', Number.Hex),
+ (r'[+-]?\d+%?', Number.Integer),
+ ],
+diff --git a/pygments/lexers/factor.py b/pygments/lexers/factor.py
+index be7b30dff..9200547f9 100644
+--- a/pygments/lexers/factor.py
++++ b/pygments/lexers/factor.py
+@@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
+ (r'(?:<PRIVATE|PRIVATE>)\s', Keyword.Namespace),
+
+ # strings
+- (r'"""\s+(?:.|\n)*?\s+"""', String),
++ (r'"""\s(?:.|\n)*?\s"""', String),
+ (r'"(?:\\\\|\\"|[^"])*"', String),
+ (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
+ (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
+@@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
+ 'slots': [
+ (r'\s+', Text),
+ (r';\s', Keyword, '#pop'),
+- (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
++ (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
+ bygroups(Text, Name.Variable, Text)),
+ (r'\S+', Name.Variable),
+ ],
+diff --git a/pygments/lexers/jvm.py b/pygments/lexers/jvm.py
+index 62dfd45e5..9a9397c2d 100644
+--- a/pygments/lexers/jvm.py
++++ b/pygments/lexers/jvm.py
+@@ -981,7 +981,6 @@ class CeylonLexer(RegexLexer):
+ (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
+ (r'"(\\\\|\\[^\\]|[^"\\])*"', String),
+ (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
+- (r'".*``.*``.*"', String.Interpol),
+ (r'(\.)([a-z_]\w*)',
+ bygroups(Operator, Name.Attribute)),
+ (r'[a-zA-Z_]\w*:', Name.Label),
+diff --git a/pygments/lexers/matlab.py b/pygments/lexers/matlab.py
+index 4823c6a7e..578848623 100644
+--- a/pygments/lexers/matlab.py
++++ b/pygments/lexers/matlab.py
+@@ -137,7 +137,7 @@ class MatlabLexer(RegexLexer):
+ (r'.', Comment.Multiline),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+@@ -638,7 +638,7 @@ class OctaveLexer(RegexLexer):
+ (r"[^']*'", String, '#pop'),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+@@ -710,7 +710,7 @@ class ScilabLexer(RegexLexer):
+ (r'.', String, '#pop'),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+diff --git a/pygments/lexers/objective.py b/pygments/lexers/objective.py
+index 34e4062f6..38ac9bb05 100644
+--- a/pygments/lexers/objective.py
++++ b/pygments/lexers/objective.py
+@@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
+ 'logos_classname'),
+ (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
+ bygroups(Keyword, Text, Name.Class)),
+- (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
++ (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
+ bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
+ (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
+ 'function'),
+- (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
++ (r'(%new)(\s*)(\()(.*?)(\))',
+ bygroups(Keyword, Text, Keyword, String, Keyword)),
+ (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
+ inherit,
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index 33c06c4c4..5c3346b4c 100644
+--- a/pygments/lexers/templates.py
++++ b/pygments/lexers/templates.py
+@@ -1405,7 +1405,7 @@ class EvoqueLexer(RegexLexer):
+ # see doc for handling first name arg: /directives/evoque/
+ # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
+ # should be using(PythonLexer), not passed out as String
+- (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
++ (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
+ r'(.*?)((?(4)%)\})',
+ bygroups(Punctuation, Name.Builtin, Punctuation, None,
+ String, using(PythonLexer), Punctuation)),
+diff --git a/pygments/lexers/varnish.py b/pygments/lexers/varnish.py
+index 23653f7a1..9d358bd7c 100644
+--- a/pygments/lexers/varnish.py
++++ b/pygments/lexers/varnish.py
+@@ -61,7 +61,7 @@ def analyse_text(text):
+ bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
+ (r'(\.probe)(\s*=\s*)(\{)',
+ bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
+- (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
++ (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
+ bygroups(Name.Attribute, Operator, using(this), Punctuation)),
+ (r'\{', Punctuation, '#push'),
+ (r'\}', Punctuation, '#pop'),
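Review bot: The diffstat inside the backported patch header (`8 files changed, 14 insertions(+), 12 deletions(-)`) no longer matches the patch body, which carries seven file diffs (archetype, factor, jvm, matlab, objective, templates, varnish) with 10 insertions and 11 deletions, so the summary was evidently carried over from the upstream commit while one file was dropped for the 2.5.2 backport. A reader auditing this fix against upstream 2e7e8c4a7b318f4032493773732754e418279a14 cannot tell from the file whether the omission was deliberate; a line under the Subject such as `Backport of upstream 2e7e8c4 for CVE-2021-27291; <DROPPED-FILE> omitted because it does not apply to 2.5.2.` (placeholder for the actual file) would make that explicit, and the diffstat should be regenerated or removed so it cannot mislead. Separately, the varnish.py change at the end of the hunk narrows the attribute-value group from `[^;]*` to `[^;\s]*`, which appears to stop that rule from matching values containing internal whitespace; this is upstream's intended fix and not something to alter here, but it is worth mentioning in the header so the highlighting change is understood as part of the ReDoS mitigation rather than an accident of the backport.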